bugcheck in process explorer

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 03 January 2013 at 6:04pm

Has anyone else seen this? I was running process explorer on a Win 8 64-bit target. I had dbl-clicked on a process and then dbl-clicked on one of its threads.
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff88015885038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8801657df9d, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  fffff88015885038

FAULTING_IP:
PROCEXP141+1f9d
fffff880`1657df9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff8801657c000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff801313f40ea to fffff801312f3930

STACK_TEXT:
fffff880`179ceb78 fffff801`313f40ea : 00000000`00000000 00000000`00000050 fffff880`179cece0 fffff801`313784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`179ceb80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDebugBreak+0x12

STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP:
PROCEXP141+1f9d
fffff880`1657df9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

MagicAndre1981
Moderator Group
Joined: 08 January 2007 Location: Germany
Posted: 03 January 2013 at 7:04pm

I've seen this with an older ProcExp version (12.04). Which one do you use?

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 03 January 2013 at 8:03pm

I was using v14.01. I just realized I ran the 32-bit version on my 64-bit target. I would not think that's a problem but it might be.

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 03 January 2013 at 8:17pm

That's weird. When I came back from the crash, I saw 2 shortcuts: procexp and procexp64. I ran both one after the other and now I only see procexp. Strange behavior. I repeated what I did before with the same result (bugcheck).
1. Run procexp.exe as admin.
2. dbl-click on one of my svchost.exe processes.
3. open Threads tab.
4. dbl-click on a thread (ntdll.dll!RtlRegisterThreadWithCsrss + 0x174)

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS: unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff880055b4038

FAULTING_IP:
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff880176e9000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8801608b520 -- (.trap 0xfffff8801608b520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880055b4040 rbx=0000000000000000 rcx=fffffa8007ef86c0
rdx=fffff880055b4000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880176eaf9d rsp=fffff8801608b6b0 rbp=fffff98005b6efe0
 r8=fffff8a00225c001  r9=0000000000000001 r10=0000000083350028
r11=fffff8801608b8e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
PROCEXP141+0x1f9d:
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h] ds:af10:4038=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80194c010ea to fffff80194b00930

STACK_TEXT:
fffff880`1608ab78 fffff801`94c010ea : 00000000`00000000 00000000`00000050 fffff880`1608ace0 fffff801`94b854b8 : nt!RtlpBreakWithStatusInstruction
fffff880`1608ab80 fffff801`94c00742 : 00000000`00000003 fffff880`1608ace0 fffff801`94b85ee0 fffff880`1608b230 : nt!KiBugCheckDebugBreak+0x12
fffff880`1608abe0 fffff801`94b06144 : 00000000`00000000 00000000`05fb5df8 00000000`00000238 00000000`05fb79b0 : nt!KeBugCheck2+0x79f
fffff880`1608b300 fffff801`94c73e59 : 00000000`00000050 fffff880`055b4038 00000000`00000000 fffff880`1608b520 : nt!KeBugCheckEx+0x104
fffff880`1608b340 fffff801`94b40b6f : 00000000`00000000 fffff880`055b4038 fffffa80`0868f700 00000000`05fb6d01 : nt! ?? ::FNODOBFM::`string'+0x32c9f
fffff880`1608b3e0 fffff801`94b03aee : 00000000`00000000 fffff980`05beaf10 00000000`c0000000 fffff880`1608b520 : nt!MmAccessFault+0x54f
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
fffff880`1608b8a0 fffff801`950c8d26 : fffff980`05beaee0 00000000`00000002 fffffa80`086863b0 fffffa80`05021418 : PROCEXP141+0x2073
fffff880`1608b940 fffff801`94eef42f : fffff980`05beaee0 fffff880`1608bc80 fffff980`05beaff8 fffffa80`07a2fb00 : nt!IovCallDriver+0x3e6
fffff880`1608b990 fffff801`94eefdb6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`1608bb20 fffff801`94b05053 : 00000000`00000000 00000000`00000000 00000000`05fb6901 fffffa80`07ef86c0 : nt!NtDeviceIoControlFile+0x56
fffff880`1608bb90 000007f8`3fd92c1a : 000007f8`3cdf3579 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 : nt!KiSystemServiceCopyEnd+0x13
00000000`05fb5df8 000007f8`3cdf3579 : 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 00000000`01574e90 : ntdll!ZwDeviceIoControlFile+0xa
00000000`05fb5e00 000007f8`3ec31880 : 00000000`83350028 00000000`00000000 00000000`000202ea 000007f7`423458a0 : KERNELBASE!DeviceIoControl+0x75
00000000`05fb5e70 000007f7`4237d8de : 00000000`00000000 00000000`05fb6820 00000000`05fb7441 00000000`05fb6920 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`05fb5ec0 000007f7`42390bb3 : 00000000`00000064 00000000`000202e8 00000000`000002fc 00000000`05fb5fc0 : procexp64+0x3d8de
00000000`05fb5f20 000007f8`3f99b6ca : 00000000`000202ea 00000000`00000001 00000000`00000110 00000000`000202ea : procexp64+0x50bb3
00000000`05fb7300 000007f8`3f99b108 : 00000000`01574e90 00000000`00000000 00000000`00000110 00000000`000202e8 : USER32!UserCallDlgProcCheckWow+0x18b
00000000`05fb73d0 000007f8`3f9d3b19 : 00000000`05fb79a8 00000000`05fb7610 00000000`00000110 00000000`00002020 : USER32!DefDlgProcWorker+0xb8
00000000`05fb74a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`00000070 ffffffff`ffffffff : USER32!DefDlgProcA+0x39
00000000`05fb74e0 000007f8`3f9c22f9 : 00000000`05fb79a8 00000000`00000110 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb75a0 000007f8`3f99c7a5 : 000007f7`424333dc 00000000`00000000 00000000`000202e8 000007f7`424333dc : USER32!SendMessageWorker+0xa72
00000000`05fb7650 000007f8`3f9ab889 : 00000000`00010298 000007f7`423905c0 00000000`00000001 000007f7`423905c0 : USER32!InternalCreateDialog+0x9f6
00000000`05fb77e0 000007f8`3f9ab936 : 000007f7`42340000 00000000`00010298 000007f7`423905c0 ffffffff`ffffffff : USER32!InternalDialogBox+0xf9
00000000`05fb7840 000007f8`3f9c9c3e : 000007f7`42340000 000007f7`423905c0 ffffffff`ffffffff 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x56
00000000`05fb7880 000007f7`423929b3 : 00000000`00010298 00000000`0364d670 00000000`00000000 00000000`0364cea0 : USER32!DialogBoxParamA+0x82
00000000`05fb78c0 000007f8`3f99b3b9 : 00000000`04fdd600 00000000`04fdd6a6 00000000`534f5047 00000000`01158de0 : procexp64+0x529b3
00000000`05fb8b30 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`00000111 00000000`0000043d : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fb8c00 000007f8`3f9d3b19 : 00000000`00000000 00000000`0000043d 00000000`00000111 00000000`00000000 : USER32!DefDlgProcWorker+0xb8
00000000`05fb8cd0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fba111 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fb8d10 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`00000111 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb8dd0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`0000043d 00000000`00010298 00000000`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fb8e20 000007f7`42344488 : 00000000`00000000 00000000`000d000c 000007f7`423e0838 00000000`6e74616c : USER32!CallWindowProcA+0x1b
00000000`05fb8e60 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`01158d00 00000000`544c4600 : procexp64+0x4488
00000000`05fb8ea0 000007f7`42345b08 : 00000000`00000001 00000000`0000043d 00000000`04039bc0 00000000`05fb9480 : procexp64+0x1fa7
00000000`05fb8ee0 000007f8`3f98171e : 00000000`00010298 00000000`0000004e 00000000`0000004e 00000000`00000000 : procexp64+0x5b08
00000000`05fb8fd0 000007f8`3f9c22f9 : 00000000`00000000 00000000`00000111 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb9090 000007f8`3f9af30d : 00000000`00000111 00000000`0364d600 00000000`0000043d 00000000`00000111 : USER32!SendMessageWorker+0xa72
00000000`05fb9140 000007f7`42391ea9 : 00000000`00010298 00000000`00000000 00000000`0000004e 00000000`00010298 : USER32!SendMessageA+0x75
00000000`05fb9190 000007f8`3f99b3b9 : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000001 : procexp64+0x51ea9
00000000`05fba400 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`0000004e 00000000`00000414 : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fba4d0 000007f8`3f9d3b19 : 00000000`05fbac40 00000000`00000414 00000000`0000004e 000007f8`3fd9541f : USER32!DefDlgProcWorker+0xb8
00000000`05fba5a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fba5e0 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`0000004e 00000000`05fbac40 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba6a0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`00000414 00000000`00010298 000007f7`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fba6f0 000007f7`42344488 : 00000000`00000000 ffffffff`000d000c 000007f7`423e0838 000007f8`3f981690 : USER32!CallWindowProcA+0x1b
00000000`05fba730 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`05fbaa00 00000000`00000000 : procexp64+0x4488
00000000`05fba770 000007f7`42345b08 : 00000000`00000001 00000000`00000414 00000000`04039bc0 00000000`00000000 : procexp64+0x1fa7
00000000`05fba7b0 000007f8`3f98171e : 00000000`05fba939 00000000`00010298 00000000`00000001 000007f8`3f984ba2 : procexp64+0x5b08
00000000`05fba8a0 000007f8`3f9c22f9 : 00000000`05fbac40 00000000`0000004e 00000000`80000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba960 000007f8`3f98487a : 00000000`0001029a 00000000`00000000 00000000`00000414 00000000`015714f0 : USER32!SendMessageWorker+0xa72
00000000`05fbaa10 000007f8`3ad3840a : 00000000`03683d70 00000000`05fbac40 00000000`05fbab19 00000000`00010298 : USER32!SendMessageW+0x10a
00000000`05fbaa70 000007f8`3adcd6e5 : 00000000`00000001 00000000`fffffffd 00000000`03683d10 000007f8`3ae95b7d : COMCTL32!CCSendNotify+0x183
00000000`05fbab80 000007f8`3ae7f099 : 00000000`00000000 00000000`00000203 00000000`0002029e 00000000`0002029e : COMCTL32!CLVMouseManager::HandleMouse+0x6d5
00000000`05fbace0 000007f8`3acdaf36 : 00000000`00000001 00000000`00000203 00000000`0001029a 00000000`00000001 : COMCTL32!alloca_probe+0x151cf
00000000`05fbaf20 000007f8`3f98171e : 00000000`05fbb160 00000000`00000001 00000000`00000000 00000000`00000000 : COMCTL32!CListView::s_WndProc+0x52
00000000`05fbaf70 000007f8`3f98432b : 00000000`01571670 000007f8`3acdaee0 00000000`0001029a 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb030 000007f8`3acc125d : 00000000`05fbb290 00000000`0001029a 00000000`0001029a 00000000`00000001 : USER32!CallWindowProcW+0x93
00000000`05fbb090 000007f8`3acc11f6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01571930 : COMCTL32!CallOriginalWndProc+0x1d
00000000`05fbb0d0 000007f8`3acc132d : 00000000`00000001 00000000`00000203 00000000`00000000 00000000`00000000 : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb130 000007f8`3acc11f6 : 00000000`00000048 00000000`00000001 00000000`00000000 000007f8`3fd9541f : COMCTL32!TTSubclassProc+0xbd
00000000`05fbb1e0 000007f8`3acc10f2 : 00000000`00000001 00000000`00000001 00000000`002e00f5 00000000`0001029a : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb240 000007f8`3f98171e : 000007f8`3f981742 00000000`00000000 00000000`0001024a 00000000`00000000 : COMCTL32!MasterSubclassProc+0xa2
00000000`05fbb2e0 000007f8`3f9c9020 : 000007f8`3acc1050 00000000`0001029a 00000000`00000203 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb3a0 000007f8`3f9c8f3b : 00000000`0001029a 00000000`00000203 00000000`00000000 00000000`01571670 : USER32!CallWindowProcAorW+0xd8
00000000`05fbb3f0 000007f7`42365923 : 00000000`0001029a 00000000`00000000 00000000`05fbb903 00000000`05fbb903 : USER32!CallWindowProcA+0x1b
00000000`05fbb430 000007f8`3f98171e : 000007f8`3f981742 000007f8`00000000 00000000`00000000 00000000`80000000 : procexp64+0x25923
00000000`05fbf950 000007f8`3f9814d7 : 00000000`01571670 00000000`05fbfb90 000007f7`41f9a800 000007f7`42364cb0 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbfa10 000007f8`3f9ae067 : 00000000`05fbfba0 00000000`01571670 00000000`01562810 00000000`05fbfb90 : USER32!DispatchMessageWorker+0x1a7
00000000`05fbfa90 000007f8`3f9d3bac : 00000000`00000000 00000000`05fbfba0 00000000`00100250 00000000`000d0153 : USER32!IsDialogMessageW+0x242
00000000`05fbfb20 000007f7`4239775e : 00000000`00000578 00000000`00000002 00000000`0403e5c0 00000000`00000000 : USER32!IsDialogMessageA+0x7c
00000000`05fbfb50 000007f7`423b215f : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5775e
00000000`05fbfbf0 000007f7`423b2209 : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x7215f
00000000`05fbfc20 000007f8`3ec3167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x72209

STACK_COMMAND:  kb

FOLLOWUP_IP:
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

Gonna turn on verifier for this driver and repeat.

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 03 January 2013 at 8:24pm

Turned on verifier for PROCEXP141.SYS
1: kd> !verifier
Verify Level 209bb ... enabled options are:
	Special pool
	Special irql
	All pool allocations checked on unload
	Io subsystem checking enabled
	Deadlock detection enabled
	DMA checking enabled
	Security checks enabled
	Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x72c

Pool Allocations Attempted             0x17762
Pool Allocations Succeeded             0x17762
Pool Allocations Succeeded SpecialPool 0x17762
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x2 for 000000B0 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

Now I get a bugcheck when I try and launch the program (procexp64.exe) as admin:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg3: fffffa8008677940, Address of the current process.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------

BUGCHECK_STR:  0xc4_f6

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff803cc9f40ea to fffff803cc8f3930

STACK_TEXT:
fffff880`17796d58 fffff803`cc9f40ea : 00000000`00000000 00000000`000000c4 fffff880`17796ec0 fffff803`cc9784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`17796d60 fffff803`cc9f3742 : 00000000`00000003 fffff880`17796ec0 fffff803`cc978e90 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`17796dc0 fffff803`cc8f9144 : 00000000`000002cc 00000000`00000003 00000000`00000008 00000000`000002cc : nt!KeBugCheck2+0x79f
fffff880`177974e0 fffff803`ccec4fa0 : 00000000`000000c4 00000000`000000f6 00000000`000002cc fffffa80`08677940 : nt!KeBugCheckEx+0x104
fffff880`17797520 fffff803`ccecca78 : fffffa80`08677940 00000000`00000000 00000000`00000000 00000000`00000001 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`17797560 fffff803`cce7ebb5 : 00000000`00000000 00000000`00000000 fffff880`177977d0 00000000`00000000 : nt!VfCheckUserHandle+0x1b8
fffff880`17797640 fffff803`ccc64484 : 00000000`00000000 00000000`00001000 fffffa80`04eecf20 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x37e4c
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`17797750 fffff803`cc8fd230 : fffff880`172bbbb7 fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`177978e8 fffff880`172bbbb7 : fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 00000000`0000001f : nt!KiServiceLinkage
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
fffff880`17797ae0 fffff803`ccebbd26 : fffff980`065f0ee0 00000000`00000002 fffffa80`086b15d0 fffffa80`0501e298 : PROCEXP141+0x2073
fffff880`17797b80 fffff803`ccce242f : fffff980`065f0ee0 fffff880`17797ec0 fffff980`065f0ff8 fffffa80`05a13010 : nt!IovCallDriver+0x3e6
fffff880`17797bd0 fffff803`ccce2db6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`17797d60 fffff803`cc8f8053 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000b18 : nt!NtDeviceIoControlFile+0x56
fffff880`17797dd0 000007fe`3ce52c1a : 000007fe`3a0e3579 00000000`00e442d0 00000000`00000000 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
00000000`00d6da68 000007fe`3a0e3579 : 00000000`00e442d0 00000000`00000000 00000000`00000001 000007fe`3c96a783 : ntdll!ZwDeviceIoControlFile+0xa
00000000`00d6da70 000007fe`3c431880 : 00000000`8335000c 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DeviceIoControl+0x75
00000000`00d6dae0 000007f6`f874d8de : 00000000`00000000 00000000`00000000 00000000`00000104 00000000`00000b18 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`00d6db30 000007f6`f875919d : 00000000`00d6e2d8 000007f6`f87b0879 00000000`00000b18 00000000`000002cc : procexp64+0x3d8de
00000000`00d6db90 000007f6`f87492c0 : 00000000`00000000 00000000`00000000 00000000`00070227 000007f6`f87d2c80 : procexp64+0x4919d
00000000`00d6e540 000007f6`f871fe46 : 00000000`00000000 00000000`00d6f000 00000000`00000001 00000000`000301a8 : procexp64+0x392c0
00000000`00d6ed60 000007f6`f8748a66 : 00000000`00000001 00000000`000301a8 00000000`00000000 00000000`000301a8 : procexp64+0xfe46
00000000`00d6eda0 000007fe`3a2c3e95 : 00000000`00000001 00000000`00d6f200 00000000`00000000 000007fe`3ce5541f : procexp64+0x38a66
00000000`00d6ede0 000007fe`3a2c2a62 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x18d
00000000`00d6eea0 000007fe`3a2caa7c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchClientMessage+0xf8
00000000`00d6ef00 000007fe`3ce54b47 : ffffffff`ffffffff 000007fe`3a2c1690 000007fe`3a2c1742 000007fe`3a2c1690 : USER32!_fnINLPCREATESTRUCT+0x98
00000000`00d6ef60 000007fe`3a2cc35a : 000007fe`3a2cc2dc 00000000`00d6f200 00000000`00d6f510 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000000`00d6f0f8 000007fe`3a2cc2dc : 00000000`00d6f200 00000000`00d6f510 00000000`00000000 000007fe`06000006 : USER32!ZwUserCreateWindowEx+0xa
00000000`00d6f100 000007fe`3a2cc55c : 00000000`00000012 000007f6`f87b3fe0 00000000`00d6f580 00000000`00000000 : USER32!VerNtUserCreateWindowEx+0x21c
00000000`00d6f480 000007fe`3a2d62df : 00005e14`00000226 00000000`00000001 00000000`00000001 00000000`00cf0000 : USER32!CreateWindowInternal+0x1ed
00000000`00d6f5e0 000007f6`f8724f6b : 00000000`00000010 00000000`00000010 00000000`00000001 000007f6`f8710000 : USER32!CreateWindowExA+0x7f
00000000`00d6f670 000007f6`f877bc0b : 00000000`00000000 00000000`00de2625 000007f6`f8710000 00000000`00000000 : procexp64+0x14f6b
00000000`00d6f740 000007f6`f8784c3f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x6bc0b
00000000`00d6f8b0 000007fe`3c43167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x74c3f
00000000`00d6f960 000007fe`3ce6c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1a
00000000`00d6f990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND:  kb

FOLLOWUP_IP:
PROCEXP141+1bb7
fffff880`172bbbb7 e93b020000      jmp     PROCEXP141+0x1df7 (fffff880`172bbdf7)

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  PROCEXP141+1bb7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCEXP141

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

Followup: MachineOwner
---------
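An added example, not code from this thread, from Sysinternals or from PE: a small Python triage script for `!analyze -v` output like the dumps posted above. It pulls out the bugcheck code, arguments, followup module and stack frames, separates the driver's own frames from the kernel's, and reports a 0xC4 with Arg1 F6 as the Verifier handle check rather than as a memory fault. Function names and the abridged sample dumps are mine.

```python
# Added example, not code from this thread or from Sysinternals: first-pass triage of the
# WinDbg `!analyze -v` dumps above. Names are mine; the sample dumps are constructed/abridged.
import re
from dataclasses import dataclass, field

C4_SUBCODES = {0xF6: "Referencing user handle as KernelMode"}  # Arg1 of 0xC4 in the thread

_HEADER = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
_ARG = re.compile(r"^Arg(\d): ([0-9a-fA-F]{16})", re.M)
_SYMBOL = re.compile(r"^SYMBOL_NAME:\s+(\w+)\+([0-9a-fA-F]+)", re.M)
_BUCKET = re.compile(r"^FAILURE_BUCKET_ID:\s+(\S+)", re.M)
# One STACK_TEXT frame: "child-sp ret-addr : arg1 arg2 arg3 arg4 : symbol"
_FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : "
                    r"(?:[0-9a-f]{8}`[0-9a-f]{8} ){4}: (\S+)", re.M)

@dataclass
class Triage:
    code: int
    name: str
    args: list          # Arg1..Arg4 as integers
    module: str         # module that owns the followup symbol
    offset: int         # offset of the followup instruction inside it
    vrf_bucket: bool    # FAILURE_BUCKET_ID carries the _VRF_ (Verifier) marker
    frames: list = field(default_factory=list)

def parse_analyze(text: str) -> Triage:
    """Pull out the fields a responder reads first in a `!analyze -v` dump."""
    head = _HEADER.search(text)
    if head is None:
        raise ValueError("no bugcheck header found")
    sym = _SYMBOL.search(text)
    module, offset = (sym.group(1), int(sym.group(2), 16)) if sym else ("?", 0)
    bucket = _BUCKET.search(text)
    return Triage(code=int(head.group(2), 16), name=head.group(1),
                  args=[int(m.group(2), 16) for m in _ARG.finditer(text)],
                  module=module, offset=offset,
                  vrf_bucket=bool(bucket and "_VRF_" in bucket.group(1)),
                  frames=_FRAME.findall(text))

def driver_frames(t: Triage) -> list:
    """Frames owned by the followup module (here the PROCEXP141 driver)."""
    return [f for f in t.frames if f.split("+")[0].split("!")[0] == t.module]

def explain(t: Triage) -> str:
    """One-line verdict: Verifier rule violation vs. a real bad memory reference."""
    where = f"{t.module}+0x{t.offset:x}"
    if t.code == 0xC4 and len(t.args) >= 2:
        sub = C4_SUBCODES.get(t.args[0], f"sub-code 0x{t.args[0]:x}")
        return (f"Verifier violation in {where}: {sub} (handle 0x{t.args[1]:x}); "
                "a Verifier rule fired, not a memory-corruption fault")
    if t.code == 0x50 and len(t.args) >= 2:
        op = "write" if t.args[1] == 1 else "read"
        return (f"{t.name}: invalid {op} of 0x{t.args[0]:x} by {where}"
                + (" (Verifier bucket)" if t.vrf_bucket else ""))
    return f"{t.name} (0x{t.code:x}) in {where}"

# Constructed samples, abridged from the thread's dumps (addresses as posted there).
SAMPLE_0X50 = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
SYMBOL_NAME:  PROCEXP141+1f9d
FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d
"""
SAMPLE_0XC4 = """\
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
SYMBOL_NAME:  PROCEXP141+1bb7
FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7
"""
```

Run `explain(parse_analyze(text))` over a full dump pasted from WinDbg; the frame regex also accepts the user-mode frames, so `driver_frames` works on the complete stack.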

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 03 January 2013 at 8:58pm

Solution?
No bugcheck if I do not run as admin. Any explanation?

MagicAndre1981
Moderator Group
Joined: 08 January 2007 Location: Germany
Posted: 04 January 2013 at 5:09am

Why are you not using the latest 15.xx version?

danmcleran
Newbie
Joined: 03 January 2013 Location: United States
Posted: 04 January 2013 at 10:00pm

I had downloaded Sysinternals Suite not long ago so I thought I had the latest. I will need to go check for individual updates.

wj32
Senior Member
Joined: 16 January 2009 Location: Australia
Posted: 05 January 2013 at 4:05am

Don't run verifier on PE's driver with the handle checks. You will always get a crash since it opens handles in kernel-mode to allow viewing tokens of protected processes.

PH, a free and open source process viewer.